<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - EmitGEPOffset() incorrectly adds NUW to multiplications"
   href="https://bugs.llvm.org/show_bug.cgi?id=42699">42699</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>EmitGEPOffset() incorrectly adds NUW to multiplications
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>libraries
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Transformation Utilities
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>nunoplopes@sapo.pt
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org, regehr@cs.utah.edu, sanjoy@playingwithpointers.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>The following transformation in test/Transforms/InstCombine/sub.ll exposes a
bug in EmitGEPOffset() that dates back to 2011.
It assumes that 'gep inbounds' guarantees that %i * 4 doesn't overflow
unsigned, which isn't true since %i could be negative.
Changing nuw to nsw makes it correct.

Alive's report:

define i64 @test30(* %foo, i64 %i, i64 %j) {
  %bit = bitcast * %foo to *
  %gep1 = gep inbounds * %bit, 4 x i64 %i
  %gep2 = gep inbounds * %foo, 1 x i64 %j
  %cast1 = ptrtoint * %gep1 to i64
  %cast2 = ptrtoint * %gep2 to i64
  %sub = sub i64 %cast1, %cast2
  ret i64 %sub
}
=>
define i64 @test30(* %foo, i64 %i, i64 %j) {
  %gep1.idx = shl nuw i64 %i, 2
  %1 = sub i64 %gep1.idx, %j
  ret i64 %1
}
Transformation doesn't verify!
ERROR: Target is more poisonous than source

Example:
* %foo = pointer(non-local, block_id=0, offset=8)
i64 %i = -1
i64 %j = 0

Source:
* %bit = pointer(non-local, block_id=0, offset=8)
* %gep1 = pointer(non-local, block_id=0, offset=4)
* %gep2 = pointer(non-local, block_id=0, offset=8)
i64 %sub = -4

Target:
i64 %gep1.idx = poison
i64 %1 = poison

Source value: -4
Target value: poison</pre>
        </div>
      </p>
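      <p>An added example, not part of the original report or of LLVM's code: a small C model of the counterexample above, showing why <code>shl nuw</code> turns %i = -1 into poison while <code>shl nsw</code> keeps the source value of -4. The 16-byte block size and all function and type names are assumptions made for the illustration.</p>

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* An i64 result that may be poison, as in the Alive report. */
typedef struct { bool poison; int64_t value; } i64_result;
typedef enum { FLAG_NONE, FLAG_NUW, FLAG_NSW } wrap_flag;

/* Models `shl [nuw|nsw] i64 x, sh` for 0 < sh < 63. */
static i64_result shl_i64(int64_t x, unsigned sh, wrap_flag flag) {
    uint64_t ux = (uint64_t)x;
    i64_result r = { false, (int64_t)(ux << sh) };   /* wrapping shift */
    if (flag == FLAG_NUW) {
        r.poison = (ux >> (64 - sh)) != 0;            /* a set bit was shifted out */
    } else if (flag == FLAG_NSW) {
        int64_t scale = (int64_t)1 << sh;
        r.poison = x > INT64_MAX / scale || x < INT64_MIN / scale;
    }
    return r;
}

/* Source: ptrtoint(gep inbounds foo, 4*i) - ptrtoint(gep inbounds foo, j).
   Simplified model: foo sits at byte offset `off` in a block of `size` bytes
   (size is an assumption), and a gep is poison if it leaves [0, size]. */
static i64_result source_sub(int64_t off, int64_t size, int64_t i, int64_t j) {
    int64_t o1 = off + 4 * i, o2 = off + j;           /* small inputs only */
    i64_result r = { o1 < 0 || o1 > size || o2 < 0 || o2 > size, o1 - o2 };
    return r;
}

/* Target: (shl <flag> i, 2) - j, as emitted after the transformation. */
static i64_result target_sub(int64_t i, int64_t j, wrap_flag flag) {
    i64_result idx = shl_i64(i, 2, flag);
    i64_result r = { idx.poison, (int64_t)((uint64_t)idx.value - (uint64_t)j) };
    return r;
}

/* The target may be poison only where the source already is. */
static bool refines(i64_result src, i64_result tgt) {
    return src.poison || (!tgt.poison && tgt.value == src.value);
}

int main(void) {
    i64_result src = source_sub(8, 16, -1, 0);       /* counterexample from the report */
    printf("source=%lld nuw_ok=%d nsw_ok=%d\n", (long long)src.value,
           refines(src, target_sub(-1, 0, FLAG_NUW)),
           refines(src, target_sub(-1, 0, FLAG_NSW)));
    return 0;
}
```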


    </body>
</html>